Ashar Javed is a research assistant in Ruhr University Bochum, Germany and working towards his PhD. He has been listed ten (`X`) times in Google Security Hall of Fame, Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages & Facebook White Hat. He spoke in the main security venues like Hack in the Box, DeepSec, OWASP Spain and OWASP Seminar@RSA Europe.

Abstract :

Cross-Site Scripting (XSS) attacks are at number one in Open Source Vulnerability Database (OSVDB) and according to a recent report by Trustwave, 82% of web applications are vulnerable to XSS flaws. PHP---Hypertext Preprocessor is by far the most popular server-side web programming language. In this paper, we perform security analysis of PHP-based XSS protection mechanisms available in the wild. The analysis includes PHP's built-in functions (11 common examples of using PHP's built-in functions in the wild), 10 popular customized solutions powering thousands of PHP files on GitHub and 8 commercially used open-source web applications' frameworks like CodeIgniter (in use on hundreds of thousands of web applications), htmLawed (its Drupal module has been downloaded more than 19000 times), HTML Purifier (integrated in a another popular PHP framework named Yii), Nette (in use on a website of the president of The Czech Republic), PHP Input Filter (more than 1500 PHP files on GitHub are using it), PEAR's HTML Safe (powering more than 100 PHP files), CakePHP (in use on more than 20K PHP files) and Laravel PHP framework (winner of best PHP framework of the year 2013) etc. This paper shows how a motivated attacker can bypass these XSS protection mechanisms. We show XSS bypasses for modern and old browsers and report other issues that we found in these protection mechanisms. The developers of CodeIgniter, htmLawed, HTML Purifier and Nette have acknowledged our findings and our suggestions have been implemented in top-notch frameworks like CodeIgniter, htmLawed and Nette.